SKS Egress Security Groups filtering notice
If you want to harden your cluster's network policy, consider adding egress security group rules. As soon as a security group carries an egress rule, all other outbound traffic from your SKS nodes is dropped by default, so every flow your workloads need has to be allowed explicitly.
WARNING
This setup is for advanced users only. Make sure you understand the implications of restricting egress traffic before proceeding: egress filtering makes debugging more complex, since a blocked flow shows up as a timeout in the workload rather than as an error on the node.
SKS mandatory rules
Before adding any egress rules for your workloads, you need to define the rules listed in the table below. Without them the nodes cannot reach NTP, DNS, the container registry, each other, or the SKS API servers.
Name | Protocol | Network | Port | Flow | Security Group |
---|---|---|---|---|---|
NTP service | UDP | 0.0.0.0/0 | 123 | egress | |
DNS service (TCP) | TCP | 0.0.0.0/0 | 53 | egress | |
DNS service (UDP) | UDP | 0.0.0.0/0 | 53 | egress | |
Container images pull | TCP | 0.0.0.0/0 | 443 | egress | |
SKS inter-node | TCP | | 1-65535 | egress | sks-egress-security-group |
SKS API | TCP | | 1-65535 | egress | public-sks-apiservers |
You can provision those rules with the exo CLI using the following commands. Note that the two last rules use a security group as destination instead of a network: the inter-node rule allows traffic to any instance that is a member of the same group, and the SKS API rule allows traffic to the Exoscale-managed `public-sks-apiservers` group. The rules only take effect on the node pools the security group is attached to.
# create the security group
exo compute security-group create sks-egress-security-group
# allow NTP service
exo compute security-group rule add sks-egress-security-group \
--description "NTP service" \
--protocol udp \
--network 0.0.0.0/0 \
--flow egress \
--port 123
# allow DNS resolution for TCP protocol
exo compute security-group rule add sks-egress-security-group \
--description "DNS service (TCP)" \
--protocol tcp \
--network 0.0.0.0/0 \
--flow egress \
--port 53
# allow DNS resolution for UDP protocol
exo compute security-group rule add sks-egress-security-group \
--description "DNS service (UDP)" \
--protocol udp \
--network 0.0.0.0/0 \
--flow egress \
--port 53
# allow Container images pull
exo compute security-group rule add sks-egress-security-group \
--description "Container images pull" \
--protocol tcp \
--network 0.0.0.0/0 \
--flow egress \
--port 443
# allow SKS inter-node communication
exo compute security-group rule add sks-egress-security-group \
--description "SKS inter-node" \
--protocol tcp \
--port 1-65535 \
--flow egress \
--security-group sks-egress-security-group
# allow SKS API communication
exo compute security-group rule add sks-egress-security-group \
--description "SKS API" \
--protocol tcp \
--port 1-65535 \
--flow egress \
--security-group public-sks-apiservers
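Once the rules are in place it is worth verifying them, both because a missing mandatory rule breaks the cluster and because a later, overly broad rule (for example TCP 1-65535 to 0.0.0.0/0 added while debugging) silently cancels the filtering. The following script is an added example, not Exoscale's own tooling. It reads the JSON form of `exo compute security-group show sks-egress-security-group -O json` from standard input; the field names it expects (`egress_rules`, `protocol`, `network`, `port`, `security_group`) are an assumption about that output and should be checked against your CLI version. The two JSON samples embedded below are constructed for illustration.

```python
"""Audit an SKS egress security group against the mandatory rule set.

Added example; the JSON layout below is an assumed shape of
`exo compute security-group show <name> -O json`, not a documented contract.
"""
import json
import sys

# Mandatory rules from the table above, as (protocol, network, (start, end), security_group).
MANDATORY = {
    ("udp", "0.0.0.0/0", (123, 123), None),             # NTP service
    ("tcp", "0.0.0.0/0", (53, 53), None),               # DNS service (TCP)
    ("udp", "0.0.0.0/0", (53, 53), None),               # DNS service (UDP)
    ("tcp", "0.0.0.0/0", (443, 443), None),             # Container images pull
    ("tcp", None, (1, 65535), "sks-egress-security-group"),  # SKS inter-node
    ("tcp", None, (1, 65535), "public-sks-apiservers"),      # SKS API
}


def parse_port(port):
    """Turn "53", "1-65535" or an int into an inclusive (start, end) tuple."""
    if port is None or port == "":
        return None
    text = str(port)
    if "-" in text:
        lo, hi = text.split("-", 1)
        return int(lo), int(hi)
    return int(text), int(text)


def normalize(rule):
    """Reduce one egress rule dict to the tuple form used in MANDATORY."""
    return (
        str(rule.get("protocol", "")).lower(),
        rule.get("network") or None,
        parse_port(rule.get("port")),
        rule.get("security_group") or None,
    )


def audit(egress_rules):
    """Return (missing mandatory rules, catch-all rules that defeat filtering)."""
    present = {normalize(r) for r in egress_rules}
    missing = MANDATORY - present
    # Any TCP/UDP rule covering every port towards the whole Internet re-opens egress.
    catch_all = {
        r for r in present
        if r[0] in ("tcp", "udp") and r[1] == "0.0.0.0/0" and r[2] == (1, 65535)
    }
    return missing, catch_all


# Constructed sample: the UDP DNS rule is missing and a debugging catch-all was left behind.
SAMPLE_BROKEN = json.loads("""
{"name": "sks-egress-security-group", "ingress_rules": [], "egress_rules": [
  {"description": "NTP service", "protocol": "udp", "network": "0.0.0.0/0", "port": "123"},
  {"description": "DNS service (TCP)", "protocol": "tcp", "network": "0.0.0.0/0", "port": "53"},
  {"description": "Container images pull", "protocol": "tcp", "network": "0.0.0.0/0", "port": "443"},
  {"description": "SKS inter-node", "protocol": "tcp", "port": "1-65535",
   "security_group": "sks-egress-security-group"},
  {"description": "SKS API", "protocol": "tcp", "port": "1-65535",
   "security_group": "public-sks-apiservers"},
  {"description": "temporary debug", "protocol": "tcp", "network": "0.0.0.0/0", "port": "1-65535"}
]}
""")

# Constructed sample that matches the table exactly.
SAMPLE_COMPLETE = {
    "name": "sks-egress-security-group",
    "egress_rules": [
        {"protocol": p, "network": n or "", "port": f"{lo}-{hi}" if lo != hi else str(lo),
         "security_group": sg or ""}
        for (p, n, (lo, hi), sg) in MANDATORY
    ],
}


def report(group):
    """Human-readable audit of one security group document; returns exit status."""
    missing, catch_all = audit(group.get("egress_rules", []))
    for rule in sorted(missing, key=str):
        print(f"MISSING  {rule}")
    for rule in sorted(catch_all, key=str):
        print(f"CATCHALL {rule}")
    return 1 if (missing or catch_all) else 0


if __name__ == "__main__":
    # Usage: exo compute security-group show sks-egress-security-group -O json | python3 audit.py
    sys.exit(report(json.load(sys.stdin)))
```

Run the script against the live group after every change to the rule set, and wire it into whatever job already checks the cluster, so that a stray catch-all rule is caught rather than discovered during an incident.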
See Also
- A breakdown of Exoscale Security Groups